The process of designating a firewall device for central management by BIG-IQ Security is called device discovery, or simply discovery.
After discovery, BIG-IQ Security provides a way to view device properties and to perform device-specific and firewall-specific actions through a centralized management platform.
BIG-IQ Security displays devices under management in the Devices panel.
Before discovering BIG-IP devices, you must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. Installing these components results in a REST framework that supports the required Java-based management services.
Once a device is under central management, the device configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration entities (shared objects). After that point, do not manage the firewall device locally unless there is an exceptional need.
During discovery, Cancel Task appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Cancel Task, the import is canceled and management authority over the device is rescinded.
| Device Address | Enter the internal self IP for the BIG-IP device. |
| Cluster Name | Enter a name for the cluster. Optional, but highly recommended. |
| User Name | Enter the user's login name. For example: fw_admin. |
| Password | Enter the password for this user. |
| Snapshot | Ensure that this check box is selected (the default) to take a snapshot of the configuration on the BIG-IP device before importing. |
| Auto Update Framework | Select this check box to update the REST framework installed on the
Certain BIG-IQ system components must be installed and kept up to date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up to date, select this check box.
The process of bringing a device under central management is known as declaring management authority (DMA). The firewall administrator initiates DMA through device discovery and import.
The DMA process is modal. Once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. Before starting a discovery or reimport process, it is important to understand how you will resolve any conflicts that arise.
A conflict is found when two shared objects have the same name but different data. Conflicts prevent the discovery process from running to completion.
In the event of a conflict, BIG-IQ Security displays the Resolve Conflicts dialog box, which lists all conflicts found. The Resolve Conflicts dialog box also includes an option you can use to apply a single action to all conflicts listed.
Although conflict resolution often results in changes to either the BIG-IP configuration or the BIG-IQ configuration, no changes are applied until they are deployed. You can deploy changes when a deployment task displays a status of READY TO DEPLOY.
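A pre-check for the conflict definition above, as an added example (not BIG-IQ's own code or comparison logic): it compares two shared-object inventories and lists the objects that share a name but differ in data, so you can plan resolutions before starting the modal process. The inventory layout, the `fingerprint` and `find_conflicts` names, the order-sensitivity rule, and the sample data are assumptions.

```python
import hashlib
import json

# Shared object types listed in the Resolve Conflicts table on this page.
SHARED_TYPES = ("address list", "port list", "rule list", "policy", "schedule")
# Assumption: entry order is significant only for these types.
ORDERED_TYPES = {"rule list", "policy"}

def fingerprint(obj_type, data):
    """Short stable digest of an object's data (order-insensitive where allowed)."""
    if obj_type not in ORDERED_TYPES and isinstance(data, list):
        data = sorted(data, key=lambda e: json.dumps(e, sort_keys=True))
    canon = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:12]

def find_conflicts(on_bigip, on_bigiq):
    """Rows for objects on both sides with the same name but different data.

    Each inventory maps (type, name) -> data; this layout is hypothetical.
    """
    rows = []
    for obj_type, name in sorted(on_bigip.keys() & on_bigiq.keys()):
        if obj_type not in SHARED_TYPES:
            raise ValueError(f"unknown shared object type: {obj_type!r}")
        a = fingerprint(obj_type, on_bigip[(obj_type, name)])
        b = fingerprint(obj_type, on_bigiq[(obj_type, name)])
        if a != b:
            rows.append({"name": name, "type": obj_type, "on_bigip": a, "on_bigiq": b})
    return rows

# Constructed sample inventories (not exported from a real device).
BIGIP = {
    ("address list", "web_servers"): ["10.0.1.10", "10.0.1.11"],
    ("port list", "web_ports"): [80, 443],
    ("rule list", "edge_rules"): [{"action": "accept", "port": 443},
                                  {"action": "drop", "port": 0}],
}
BIGIQ = {
    ("address list", "web_servers"): ["10.0.1.11", "10.0.1.10"],  # same set, reordered
    ("port list", "web_ports"): [80, 443, 8443],                  # extra port
    ("rule list", "edge_rules"): [{"action": "drop", "port": 0},  # rules reordered
                                  {"action": "accept", "port": 443}],
    ("schedule", "maint_window"): {"days": ["sat"]},              # only on BIG-IQ
}

if __name__ == "__main__":
    for row in find_conflicts(BIGIP, BIGIQ):
        print(f"{row['type']:<12} {row['name']:<12} "
              f"BIG-IP={row['on_bigip']} BIG-IQ={row['on_bigiq']}")
```

Objects that exist on only one side are not reported, because the definition requires two objects with the same name.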
This table lists and describes the options for resolving conflicts.
| On BIG-IP (device IP address) | Name of the shared object on the BIG-IP device. |
| On BIG-IQ | Name of the shared object on the BIG-IQ Security system. |
| Type | Type of shared object in conflict: address list, port list, rule list, policy, or schedule. |
| Action | Select one of the following:
Device properties are displayed for informational purposes and are read-only, except the Snapshot and Auto Update Framework check boxes.
| Host Name | Displays the fully-qualified domain name (FQDN), identified at discovery time. |
| Cluster Name | Displays the BIG-IP device cluster name, provided by the user at discovery time. |
| IP Address | Displays the IP address of the BIG-IP device, used for communication between it and the BIG-IQ Security system. |
| Product | Identifies the product. |
| Version | Identifies the version and hotfix level of the device under management. |
| Snapshot | Check box used to invoke a snapshot prior to reimporting the BIG-IP device's working configuration. |
| Auto Update Framework | Check box used to update the REST framework on the BIG-IP device. |
From the Devices panel, you can display an inventory of device properties and accompanying details for all devices under BIG-IQ Security central management. For further use, you can export this inventory to a CSV file.
Once configurations are in sync between BIG-IP devices and the BIG-IQ Security system, there is seldom a need to reimport a BIG-IP device.
Some possible reasons to reimport include:
If any of these reasons applies, you must reimport to reconcile any changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.
The reimport process is modal. Once reimport starts, the process blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled.
During reimport, a Cancel Task button appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Cancel Task, the import is canceled and management authority over the device is rescinded.
Possible configuration sets for a firewall device centrally managed by the BIG-IQ Security system include:
The following table displays states that occur during the discovery process.